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(57) Abstract: 

PROBLEM TO BE SOLVED: To provide a virus check 
network with improved efficiency to prevent viruses on a 

network side. 

SOLUTION: A virus pattern housing means 11 houses 
virus patterns. A virus check means 2 executes virus 
check whether a packet is an infected packet Pa or not 
based on the virus patterns on the network side. At the 
time of detecting an infected packet Pa, a packet 
transmitting means 13 stands a bit showing infection 
within the packet and transmits it as an infection 
displaying packet Pb. An infected packet detecting means 
21 detects the infected packet. A file execution control 
means 22 makes a file execution-disable corresponding 
to the infected packet. A virus pattern information 
delivering means 31 delivers virus pattern information 
to virus check devices 10a to lOn by multicasting. A 
virus pattern information managing means 32 uniformly 
manages virus pattern information. 
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(74) A 





(57) mm i. g 

)u:^/^f->^^m-t^c 'y ^ )v:^'f-:^y 2 
Y-y HP a;J»S56»<0'>-f ^'Sr7-7 

y h P b t LTj2l«-r^o y h^m¥S 

2 1 jg^/N-^ y h P a «r1taj-t'5)o V r ;HlffSIJ 

2 2 14, jgi^/N-y -y h lz*tlDi-^ 7 r ^ ^l^Sr^fi' 
^pTt::-r.5.o ;i^jx./n"5' - ^If^gei^j^S 3 1 (±. ■^7 
■i >1f^^:-7;p-f-^-vx h-e'^7'f;p;^^i-y 

^'Jiai 0 a~ 1 0 ntcBB^fr-t'S.o ^WX/n'*' - >1f 
«ira#S3 2{±';7^;w;^/s-j'->1t#«r-7c:^a-r 




1 

tLx^mirh^^'r yY^m^^t^ :^^hmf^^f^^m. w 

y r ^ )Ui:m^li^'^i^Z't^y r ^ )im^imm^^t^ i)- 
BBSS tL-2> c ^ ^#gj:i:i- 1 ffi<ftO'> >f 

jLy ^ y^-^y h 7 - ^ o 

[S*:S4l ^ ^^^-^^ ^y ^mmi^. mZ'y^ 30 

y VV-^o 

Ilf*«5j mz'y ^ )\^:^^^y "^^^mu m^^^ 

u-g- tf ^ ^ ^ #gjc 1 1" ^ tt^Jl 1 i£«co ^ ^ X ^ ^ 
•y ^ y h 7 — ^ o 

t i" ^ » 1 f e« CO »^ -r ;w ;^ J. *y ^ *s y 

y h 7 - o 



1 - 1 6 7 4 8 7 

2 

S/N^^ y h Misfit. ^^oi&omrlB^^^wx-^^ y^g 

't-^fS*]llfBfgO»^^ ;U>^-^jr.*y i>:T> y Y^-^o 

^ ^ h *^®i:"r^W*a 8ffi«<7)«> >f y 

^ ^-y h 7-^o 

T. 'i7^;l/;^(IiS*LTv>-5,iS^/N->^'y b;6-5;0-<;O^fS 

'!7>r;ux-f-j: 'y^=&#. y b7-^1fflT-^T^ 

^y 

y h ^tLXXWk^TT-^^'r yYh X.X^^m'^h^^'r y Y 

im^m 1 1 1 )V7.^^ y ^ ^:Sit7t:/^"y yY^ 

^ )l^^{zB^^fiX^^^Z t ^^-tfcf'y Y^^^L^X^^ 
h^^'ry Y^^^^^'ry Yt'L.Xl^^'t^mVk^^'ry Y 

mzmk^^'r y Y ^l^ffi X^fz'm^Xt^ ^^tf ^ 7 r ^ 
[iS*«l 2 1 ^^y b 7-^l*fC0»^^ ;^y;1t^tl^S 

^ ;^;^/^'5^->^ff«?:m^IS:r- y h 7-^rttigBS$tL 
[0 0 0 U 

[f&?^oSi-^}$#f53^R[^l ^^mit^ ^ )v::^^^y ^ 
yY^l-^. ^ ^ )Vy.^:^y ^^m.. ^^^T>Yn% 

S^t/::/^•^ y b =&$^-r^^^^r > y h 

[0 0 0 21 



-2- 



3 

[0 0 0 3] ^>\i^-9 ^ ^ )V7s(Dmi)Wt 

[0 0 0 4] fi&lfe. ^> y h 7-^ ^'!7 ^ 7U;^co^^7>-ib 

[0 0 0 5] 

[0 0 0 6] ^(Dfzisb. ^ )^^i<^nLXit^ /s- 

[0 0 0 7] tfz. 'ijt^<o^^^T> hffl-eo'^ ^ 

[0 0 0 8] ^^mi^Z(DX')^^.^Az^^X^j:'^Kfzi, 
[0 0 0 9] -^fz^ ^m^<r>\^(Dm'^lt. 

fi^^nmLx. ^ ^ )\^>^Mmmmo\ti]±i:m'z>fz^ 

[0 0 10] tfz^ :$:^m(Dm<DS^m. ^-yhU-^ 

a o ^ ^ ;u X If ««3a^ ^ Jitt-r ^ ^ t * ^ o 
[0 0 1 1 1 

mmim^ir^fzib<D^m] ^^mxit±Mmmim 

^k^ijry h P a T^^S^^O-^ >f ;l/ X jn y ^ *y h 7- 



(3) 1 1 - 1 6 7 4 8 7 

4 

^^XXmr^^Tf^^^^y hFbt LXmrnir^^^^y h 

i^^fil 0 a- 1 0 n fef y htit to'v^T. iS^/N' 
^•y hP a ^f^mi-;i>iS^/N-^'y M^m¥g2 1 ^ 
Vk^^'ry h P a tc^tl^>i-^7r ^;w^||ff^Dr(ci-^-7 
r ^;u^ff©Jifl!¥a2 2 ^ ^ ^ T > 

hS*2 0a-2 0mt. ^ ;uX/N-i5^ - 
-^^^X b-e»>^;l^;:^-^^y ^^gl 0 a-l 0 n tigS 

yN-^ - >mm-itmm.irh ^ < ;i.xy<^ - >it«es 

#S3 2^. :6>'b«*^tL^'>>r;wxlf«lra^3 0 
[0 0 12] c:c:t% *^7>r;^;^/^•^->^&ffl^al i 

ti, ^ yVTs/'^^-y^^m-th^ ^ ^ )V7.^juy 
ai 2(±. SMLT^c/N-y y h ^»t7 ^ ;UXyN-^->ti^) h 
o'v^T. •^-f ;^>?.tiiSS^LTv^;E)®^yN'y y h P a7)-S 
i)^(r>tf ^ )V:^^:x^y ^^^^y b 7 - fflS "tTff -9 o >^^'^ y 
20 3 (i. S^^'?^ ^ b P a ^^aLfsr^&^g- 

(i. -y hl^iob'-y h^Tj^TTiSS^S^yN- 

^y bPbi: LTisM-r^o S*^^•^ y M^m#g2 1 
fi, tf y hU*> to'v^T. |g*>'N-^r y h p a ?:1^tiJ-r 

bT*7^;P>?.^j^'y i5^^ei 0 a-1 0 ntCE^ftj-f^o 
7^;ux/N°^->1f^l^a¥S3 2(i> 7^;i/XyN'^- 

[0013] 

^r^DStTiteeB-r^o [HI fi*l&5g0 7^;U>^^j^'y 
^-y h'7-^<DWMmx$>^o 

[0 0 14] 7^ ^l/X'^j. -y :^^^> y h 7-^ 1 (i. 7^ 
;UX^jL'y :^^^E1 0 a- 1 0 n i>^>fr>bS* 
20a-20m(h. 7 3 0 ^ . 

^^tt. 7'i';u;^^j^y i^SrffoT. 7 ;u ;^ H A S: 

[0 0 15] 7^;u>;yN'^->*&SS^Si lii. 7>r;i^ 

S^iL/i>'^•^ ♦y b ^mLX$>^y ^ )l^y./^^-> 

SrJt«cL. >^^•y -y b;&^7'f ;w;^tcS^LTv^^S^ 
y^•^y hP a7i^5;^*07>r;u;^f"jiu/i5'4::?-y h7-^^ 

[0 0 16] /N'^ y hi^M^gl 3{i. iS^yN"^ y hP 
a=Sr^*nL/::*^(i. ^^/n-^^ y h P a rtO* Jb;&-i:i6 

P b t LTiiM-r^o 

[0 0 17] m^^^^y ht^ai¥S2 1 (i. S^^^/n' 
50 ^ y hP bOtf y htit to^^r. -etLT&^iS^^^^ y b 



5 

[0 0 18] ^ ^ )V7sJ^9-ymmM^^^2 lit, 

^^^(D^ ^ )V7.^:z. 7 ^^fi 1 0 a 1 0 n 
[0 0 2 0] '^^';PX^a. 'y i^^fiSriest;^^;^ 

^^^T> hS*2 0 a-2 Om^. ^ ^ )l^:^m 

[0 0 2 1 ] mr-l>t)U-^R 1. R2. R3> R4i)^^ 

|feo^^#Oo ^^;ux^ji:.y ^;w~^R2H»>^;PX 

\iZ^^^Ty hS*2 0 a- 2 OmtmU-tho 
[0 0 2 2] ^ ^ )V7.'^:x.y ^ )V-9R\-RA{t^ ^ 

^L'Xcot^cogp^ (5felSSB. ^PflSr^ ^l-^SB) ^^:i:. y^ 
^-r^;6^?:^ffl$^-ti:Tiot). ^Jl^ ^Sffi: 1 lil^iaiai" 
^ i: 9 t^E® $ 'i) o 

[0 0 2 3] #'!7>r y ^;w-^R 1 - R 4 

;^Xltffi§31^ 3 0 7^^tb'v;l.^^-v>^ hT-gS*$tt 

[0 0 2 4] §^Ly::/^•^'y h«tL. ^^)V7.^:x.y 
^)V-9R \ -'RA{t^n\^xhh^^)v:y./^9-yv 
Ptitect-^o t LiS^LTv^^J#>^tiii/N->5r^y Kit: 

[0 0 2 5] -e-O^^I^B#tCji®7CtC^LTti»«/N">>- y 

bPwiSrilL. y ^;i--^R 1 -R 4 

[0 0 2 6] »?fi^f^/^'^•y h P w2 «:$ttflio;^^^'> 

«y R 1 -R 4 (i. ^<D^ >( 

7> bffl*2 0 a-2 Om-eti. /n"^ y h SrfftlSi 
y h Pw 1 /'iofs:J#^t:(i^--^fti> *y-lr 
[0 0 2 7] ^^cti-^-r ;ux/N-^-> vPdov^Tlftqg-t- 



(4) If Pi¥ 1 1 - 1 6 7 4 8 7 

6 

•^^;i/j:^««^a^3 0iiff7ttii^jSLfc'>^;ux 
/N*^->VPS:'7;i/'^^-VX hr*#»!7^;l/X^j:. y 

1 0 a - 1 0 n{zmn. ^ )V y ^ )V- 9 

1 0 a - 1 0 n(i^K;6^*tt(ir^ ^ ;^;^/^'^ - > =^Mfr 

[0 0 2 8] (ll3(i'^'r>'^XyN'^-:xVPO-7:t---Ty 

Y^7r^^mx:h^o Y;^>^/^"^~>vp^i. -xy^v 

70 P-ltlEther Redder i: IP Hedder (Mult icast) t Srit 

00 -g-LT. '!7^ ;i^>^/N'^->K;ftfSr5^i-n- KVP- 
2i:. '^^r ;w>^<7)tt^Sr^i-vUT;u#^VP-3 t> 

[0 0 2 9] zfih(oht{z, mM<o^ ^ )V7.<D/'^^ 
')f)-h%mu^ m\m,^<r>^ ^ )v:^/^9->) VP- 

6. ^mu^ m2mm<D^ ^ )v:^^^9-» vp- 

7. (»3^itO^^ ;^XyN'^->) VP- 7 
[0 0 3 0] ffltBSf^ii':7^;WXlS«^l=31^3 0 

VP-4 4-5Eff-r^o i/::. ^ ^ ^i^^^ofePI^KHJ^^CT 

#^i-^;uvp- 5 ^i^:^m^^mmm3 oxik^ 

^ o 

[0 0 3 1 ] '^^^l^X-^^ y 1 0 a- 1 0 nT* 

>vpS:f^i^<7)it^T--r;KciiSPi"^o -e^l^. 

^ ^y 1 0 a - 1 0 n t^^O^Jt 

30 ^ir^/'^^ -y<D^^^i'f^:bo 

[0 0 3 2] ^>:U'^^;^::^/N'^-> vpo^^^f^^tio 

^^xmrn-tho Ill4{i^^ ;i^x/N-^->|&«#ai 1 o 

1 (i. ;^;^/^'^->'VP^1^mx-r;n 1 a 
V u T;i.#^«j#fflf« 1 1 b tc^ttTlS#ji-^o 

[0 0 3 3] 1^«-r-y;n 1 a (i. P§)l*1Sit^i: 

^tL^tt*com$t^)S:^i:T^i^>:F§)i. »2^^Ft 

40 [ 0 0 3 4 ] V V r)l^^i^.Wmm 1 1 b ii. ^^ES^ 

ffiitLTi30> ;UXyN'3^->VPco-v';t''^^YX h 
^N'^ y ZfititmLxm^^^£^W^-t*ni^^ 

[0 0 3 5] ^kiiZ^M'T-y^)Ui 1 ai^zmMiZ"^ ^ 
/N-y y h V P S:iiSni-^^^<7)«Latcov^TiJi?^i-^o 
^'^^f y>>;i/-5^ 1 0 a- 1 0 n(i. ^^(OU 

- V 3 ^ . ^ V u r ;i-#-i-«J*if « 1 1 b 

50 -r-r^H 1 a <h(iSIJt^i*l^LTv^^o 
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[0 0 3 61 ^)\^^^^^y^V{zX^mM(r>^^)V:^^'^^ 
->VP1t«^i£^L7t:->VT;w#-^«i#1t«l Ihi 

[0 0 3 7] i-r. V V r^wS^i:/-^'- V 3 >^-^:i^ y 
1t^x-r;n 1 a<7)^i;>:FgrS, ^2^^pge. -tit 

[0 0 3 81 m5i±f74 )U:^/^^->^m^^l 1 T-<^ 

<o 

CS2] 3 >M«r5&-i:^^>&>**fJ»fi-^o JS«f^:?> 

[S3} ^tl^<7)vi;T;i-#^oe^gij|^1-^o 

CS4] »l-^^PS§i:it«c-r^o :^7=-^y T^S 4 60pMii 

[0 0 3 9] meitmn^mmtit^Lx. mfz^^i^i 

CS 1 1] m:^(D^mr--r)\^l 1 a<7)^n^i:ParetJt 
CS 1 2] b y h Lfviit^^av^-r y -/S 1 3 

CS 1 3) >k(omn-^i^mmbitm'i'^o 

CS 1 4] ^^mu-t^o 

CS 1 5] tso^^jiiie^±(c^)or < 

[0 0 4 0] i<Jl±lfe?gL7t: j:d^iJ!La¥iil-e. ffttco*^ 

(Dm^'k7^-tmxh:ho 

[0 0 4 11 mt^^i" ii-^O/N-^^ y V{±. >f 

;u;^'^^'y 2 CiRS-f •2>'^'i' ^^^^-^ y ^-7^ 40 

1 2X'y }V7s^:r. y ^i)^l:t>iXho Z,ZX^ ^ )V 

X-^oL -y ^S:^T^-<§^^•y *y ^^"r y Y<D^%i)^i: 
CP;^^oftp. h t t p. s m t pOV^-f :fL75^<7)/N'>^ 
y /f^j. y ^75?^TLrv^^eV^yN->^y hT* 

[0 0 4 21 fzfzX^. -?-tlmO/^•>>-■y :ft?BfeM 

C0:?'c*!>'!7^;U';:^^jr.'y^y'>f;U:5'l 2^:'!7^;UX^jLy 

±0/N-y yh, OS *) 7n«-<7)f^;!><7):^(7)/N-^ y h tii 
«$-li:^o ^ib\ dOl^'!?^ ;u;^^jL'y ^jg^Olf y h 50 



1 - 1 6 7 4 8 7 

[0 0 4 3 ] V<r>/<^y hit, v V 

[0 0 4 4] ^ LT. ^mnnu 1 3 a x^mm^ l 

/J!*. /N^^y h^j^iifiSBl 3 b(i. ^^;ux-^^ y^ 
tc5lo;{>^75-ofc/N*^ y htc^+LT. ffeiE<7)I P^y 

y YTh^^fS^'tho m^<^W\—(Oyu-<D^^'ryV\iZ 
ttLr*>lf -y b4:j5:r>2>o 
[0 0 4 51 ifz. f^'ry b^^iiMSFPl 3 b(i. IP 
-y h 0^m7^Ul^^tT»^^^•'>- y h P w 1 ^^fig-r 
-2)0 -^cof^. iS^^^^^^^y hPb. m^^^'ry hPw 
1 S:3§l®'t''2)o 

[0 0 4 61 ts:^. ««^- Kt::lS«LT. ^^TCtO 
a«*ii»fi-'i>»?S^- KIS:^^® 1 4 iiov^riif^i£ 

tcJioTI P^y ^0»!7>f y h 

LTv^^o e-y h;&?3:o7t:JS]^S^/N"^y hPbS^>*# 
^/>?>>-y hPw 1 ^§ttflXo7t^y^T> hS*2 0 

[0 0 4 71 ^^tci p-^ y rcois;s:tiov>rift?gi-^o 
|2l8(i I P-^^y y<7)1t^^7Ki-|aT*S)^o /<-v3>li 
4tryh-C\ ^ y 9-^^y Y^y ^(D'^^^^TT^'t^ IH 
L (Internet Header Length) «i4lf y ^y^S 

8lf'yhT% X;W"*7'y tf7.o°pS;0^^^$^n 
ho ""^mtl ^My YX\ -^^"ry Ymt^xm-ofz^^ 

[0 0 4 81 w^\m^\t 1 6 tf y h -e. isMffl -^mw^ 

hfz^iz^l^mxhitfzmxr-'-^ ^^'yJ^Oy'yy^ > 
h^^^^X^mizitm^fiho Flagii3lfy h T% "7 

^^^y h^y-ty hit I 3 y r'-^^'^Artt? 

[0 0 4 9] t t 1 (i8 t: y YX'T- ^ ^ Uif^ y ^ 

^i-o h 8 If y hr% -r- ^ ^ -7 ACOr"- 

^ y :$^-f-j. 'y ^-»f^<il 6 If *y YX^yY^Z^^-fh^:^ 
y ^^U^ir^rto 

[0 0 5 0] $&.«^rr KVX(i3 2 If ^y b T% ^^^ro I P 
T KVX^Tj^-To ^^-.^.r KUXIi3 2 If y h tr^l-.i^.co I 

PTKi-x«:^fo ^^'y^y\mm.^x. ^— »f7&^e 

Lr®^S^/N->>- y h P b . . 7 b P w 1 ao^* 

»««$R/<^ y h P w 2 Sr^^-r^So 
[0 0 5 1] ^X(::'^^^^:^^i y ^#Sl 2 Uou^rUi 
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[S 2 0] 'tX-\iZ^\\(D^ ^ )V7s^m.y ^ )V-9X'^^y 

CS2 13 ^V^v Ym.if-^\:XJ^i)-}^nt^^m'^'t 

{tTsy-y-rS 2 2Mt<o 

CS 2 2] TC P/N'^ 7 br-^^^oh t t p. ftp. s 
mt pOv>-rtV7&-0/N-y '7 \i)^}^ot^^'^m'tho 

[5 2 3] ^^)\^7.^:^-j^^'^no 'tis. 
[S2 4] mVk\.X^^^hii-}^^ii-^WS^'tho Sl^LT 
S 2 5 -^tT < o 

[S 2 5] ^^^(n^^^y \(r>\/^^ y^tho 
CS2 6] «?'T3*^i:^^:6^**iJ»f-r^o %%T <r^^^\t7sT 
yyS2 7^. -f-^'CJttttKfX'r -y/S 2 3^]^>l>o 
[S 2 7) V ^j§<;ZA<;)tf y h ^2:t;^o 
CS2 8] I P-^y ^'0:t7''> 3 KtCk: y h 

[ S 2 9 ] #S/^•>5r y h P w 1 . «?fe1f y h P w 

2 ^mrir^ho 
[S3 0] MKit*^tf^o 

[0 0 5 21 ^ictiifSOXxy-rs 2 3 O >f X ^ 

-g:L;t:SOETO»2^>c|EgfStJtgc-r 

[0 0 5 31 i>LMxmh^^<^j:<^fzh>^^'ryV(D>X 
Ol^U hi^^thLXMm'hit^^^nU'to -ti 

^ )i^{zmmLtztmWiL I P^*y ^0:tyv3 >0 7 

[0 0 5 41 ^fz^ ^ L^^^C7>:^+Tv^-^ 'y b;6^^^^7 t 

El 1 0 y >{ y (O^'^^m.^ir-'^ 

[S4 0) ^^"r y 1/W hSrlXOm-fo 

[S4 1) ^^"r y h^jT^^t^'^ v6-^flBf-r'2>o ^^"^ y h 
^70*#^{i$?.7L. •€-9T*JttttLl^;^T- y -/S 4 2-\ 
tT<o 

[S4 2] '>^;^>;/N-^~>»n^XPgrig<hJt«?-r>£>o 
[5 4 3] y^yY\^fzi)-}::^t-^mm'tho "cyW^fz 

^>g^(i;^x y ys 4 6--^. ^^"C^ttttiirXT-y ^'S 4 

4-^tf <o 



(6) #P3^ 1 1 - 1 6 7 4 8 7 

[s 4 4] ^m^\'^k\zWz'fo 

CS 4 5] »l^>:|fgr^^^^y^1-^o 
CS 4 6] P§^^n+ l^^CC-r-i)o 
[S4 7) '!7^;u;^^i y ^^T:^^i:'^*^S:^J»f-t^o 
^TOtt'g^liXf-^yT'S 4 9-^. ^dT'^ttntfXT-'y 
4 8'^1t<o 

[S4 8) mn + i:kfmi:^:^ y ^-r^o 

[S4 9] »>>r ;w>^iS^t*iJBfi-'^o 

[0 0 5 51 •^^t^'^^ y ^B$tl2:r^ tf y 

^y ^SrHM-r^^^. i-riHL'7-i'-;i^KS:lli*DL 

[0 0 5 61 HI 1 (i^i^K^/^'^ y h P b CO I P/n'-^t 
•y h*;)^^— 7 y b5:^-r[2|-e*'?>o 
-;^K?r liiSn-r^o -f-LT. ^:/'>3 >Mit*The Co 
piedflag=D . The option Classes=3 (^f 
it) . The option Number=1 {JB^^yf^^^"^ y b P b I 
^ ^ )U:^^:r.y ^^LtzZtiTj^-t^-h^) . Length= 
20 5 i:ia^i-^o 

[0 0 5 71 ifz^ Option Value t LT^l tf y h it^ 
imM^:r.y ^^Xm. B 2 \C y h Itm 2 ^ v ^ 

^3 tfy hti^3«^^aL'y ^*/}Si:«IJ*9a 
Xho 1-^t>-^. ;i^;^^i'y ^S:L?t;&^^*o;&^Olf 

[0 0 5 81 tLX. ^4 tfy h ^ ;^ ;^ 

^^^L. ^mm^j:ho. m^Lxy^^^m^iti i^x 
X. BMrnm^^'r y hPbimiTo ^i3> ms^^y hlX 

[0 0 5 91 ^kizw^^'-^y y h P w 1 Uov^Tgie^gt" 
ho ^ )y^:^'1-:^y ^ )\^-9X^ ^ )VXii^MLfzmkz 
iiM7Cti(i#^/N°y y h P w 1 ^iifSt. mm<r>^^}v 
Ts^jL y ^ 9 {ZitmmtWi^^'r y h P w2 ^-7;^^ 

[0 0 6 01 ^^^^"ry bPwKi. ^ ^ 

y h (hlWIfllti I P^ y 3 >^itOlf y h 

^Tjzir. ]XT<ny ^--^ y Yx^mjt\izw.^^fiho m 

-y'vs >|iJtSrThe Copied flag=0 > The option Class 
es=3 (#5feco^^ffl^Jt) . The option Nuinber=2 (« 
ft/N-^ y h Pw 1 Sr^i-n- K) . Length=3 tK^i" 

ho -etr. mi \xmmLfz^:r.y 9^/^(r)t':f'y 
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[0013 ] 

[Embodiments] An embodiment of the present invention will be 
described with reference to the drawings below. Fig. 1 shows 
the principles of a virus check network in accordance with 
the present invention. 

[0014] A virus check network 1 comprises virus checking 
devices 10a to lOn, client terminals 20a to 20m, and a virus 
information management station 30, and it checks for a virus 
so as to prevent infection by the virus. 

[0015] Virus patterns are stored in a virus pattern storage 
means 11. A virus checking means 12 compares a received 
packet with the stored virus patterns, and thus performs a 
virus check on a network side so as to check if a received 
packet is a packet Pa infected with a virus. 
[0016] If an infected packet Pa is detected, a packet . 
transmitting means 13 sets a predetermined bit contained in 
the infected packet Pa so as to indicate infection, and 
transmits the packet as an infection-indicated packet Pb. 
[0017] Based on the bit in the infection-indicated packet 
Pb, an infected packet detecting means 21 recognizes the 
packet as the infected packet Pa. A file execution control 
means 22 disables execution of a file corresponding to the 
infected packet Pa. 

[0018] A virus pattern information distributing means 31 
multicasts the latest virus pattern information to the virus 
checking devices 10a to lOn. The distributed virus pattern 
is stored in the virus pattern storage means 11. 
[0019] A virus pattern information managing means 32 
performs all management jobs including determination of virus 
pattern information and the updating thereof. Next, a 
description will be made of a case where the embodiment of 
the virus check network 1 of the present invention is adapted 
to a network on the Internet which comprises routers. The 
virus checking devices 10a to lOn employed according to the 
present invention are allocated to some routers in order to 
check for a virus on the network side. 
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[0020] Incidentally, the routers to which the virus checking 
devices are allocated shall be called virus checking routers. 
Fig. 2 schematically shows a network acconunodating the virus 
checking routers. The network 1 comprises routers Rl to R8 , 
the client terminals 20a to 20m, and the virus information 
management station 30 . 

[0021] In the drawing, the routers Rl, R2 , R3 , and R4 are 
the virus checking routers , and the other routers have only 
the capabilities of a normal router. The virus information 
management station 30 is connected to the virus checking 
router R2, and the client terminals 20a to 20m are connected 
to the virus checking router R4 . 

[0022] The virus checking routers Rl to R4 are assigned to 
jobs of checking for respective parts of a virus (leading 
part, intermediate part, and trailing part). The virus 
checking routers Rl to R4 are arranged so that a packet will 
pass through the routers at least once. 

[0023] Each of the virus checking routers Rl to R4 receives 
a virus pattern VP multicast from the virus information 
management station 30, and holds the latest virus information 
all the time. 

[0024] Each of the virus checking routers Rl to R4 compares 
a received packet with the held virus pattern VP. If a 
received packet is infected with a virus, a bit in the packet 
is set. 

[0025] At the same time, a warning packet Pwl is returned to 
a transmitting source, and a caution information packet Pw2 
is multicast to the virus checking routers Rl to R4 . 
[0026] Each of the virus checking routers Rl to R4 having 
received the caution information packet Pw2 detects the virus 
concerned as a top priority or discontinues coimnunication 
with an infecting source. The client terminals 20a to 20m 
always monitor a packet. If a bit indicating infection is 
set or if a received packet is the warning packet Pwl, a 
message is displayed in order to prompt a user tp delete the 
received file. 
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[0040] According to the foregoing procedure, a branch in a 
hierachical tree structure is created corresponding to each 
new kind of virus pattern VP, and then stored. Next, the 
configuration of the virus checking router 10 will be 
described. Fig. 7 shows the configuration of the virus 
checking router 10. 

[0041] As illustrated, a normal packet is checked for a 
virus by a virus checking filter 12 corresponding to the 
virus checking means 12 employed in the present invention. 
Herein, a packet that should be checked for a virus is any 
packet which specifies TCP and ftp, http, or smtp and whose 
check has not been completed. 

[0042] However, the other packets are passed through the 
virus checking filter 12 without being checked for a virus in 
efforts to lighten the load on the virus checking filter. A 
packet provided with an offset value equal to or larger than 
a certain value, that is, a packet to be transmitted late in 
a data flow is also passed. At this time, a bit indicating 
that a virus check has been completed is set. 
[0043] On the other hand, a virus pattern specified in the 
serial number hold information lib is updated with a virus 
pattern specified in a multicast packet. The virus pattern 
specified in the multicast packet is stored in the search 
table 11a according to a hierarchical tree structure. 
[0044] After a route calculator 13a calculates a route, a 
packet production and transmission block 13b produces the 
infection-indicated packet Pb by setting the bits in an 
option field of an IP header of a packet that is recognized 
to be infected with a virus during a virus check. The bits 
are set in subsequent packets to be transmitted within the 
same data flow. 

[0045] Moreover, the packet production and transmission 
block 13b produces a warning packet Pwl that is duly 
transmitted to a transmitting source from which the IP packet 
has been transmitted. Thereafter, the infection-indicated 
packet Pb and warning packet Pwl are transmitted. 
[0046] A caution mode designating means 14 that designates a 
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caution mode, so as to discontinue cominunication with an 
infecting source, will be described later. On the other 
hand, the client terminals 20 use software to monitor a bit 
that is contained in an IP header in order to indicate 
infection with a virus. Any of the client terminals 20 
having received the infection-indicated packet Pb that has 
the bit set and the warning packet Pwl displays for a user a 
message saying that a packet has been infected with a virus. 
[0047] Next, the structure of an IP header will be 
described. Fig. 8 shows the structure of an IP header. A 
version field is four bits long and specifies the format of 
an Internet header. An Internet header length (IHL) field is 
four bits long and specifies a header length in 32-bit words. 
A service type field is eight bits long and specifies service 
quality such as a throughput. An overall length field is 
sixteen bits long and specifies a length measured in octets. 
Incidentally, the overall length includes the lengths of the 
header and data. 

[0048] An identification number field is sixteen bits long 
and specifies a value which is assigned to a transmitting 
side so that the transmitting side can be identified with the 
value and which is used to assemble fragments of a datagram. 
A flag field is three bits long and specifies that division 
of a fragment is enabled or continued or that control is 
extended in a certain manner. A fragment offset field is 
thirteen bits long and specifies a position in a datagram 
occupied by a fragment. 

[0049] A time to live (ttl) field is eight bits long and 
specifies the minimum value of a time during which a datagram 
can stay in an Internet system. A protocol field is eight 
bits long and specifies a transport layer protocol according 
to which data in a datagram should be handed. A header 
checksum field is sixteen bits long and specifies a checksum 
to be adopted for a header. 

[0050] A start address field is 32 bits long and specifies 
an IP address of a start point. An end address field is 32 
bits long and specifies an IP address of an end point. An 
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option field has a variable length and can be defined 
arbitrarily by a user. According to the present invention, 
the option field is used to produce the infection-indicated 
packet Pb, warning packet Pwl, and caution information packet 
Pw2 • 

[0051] Next, the virus checking means 12 will be described. 
Fig. 9 is a flowchart describing a virus check procedure. 

S20: It is judged whether any other virus checking 
router has checked a packet. If any other virus checking 
router has checked a packet, control is passed to step S30. 
Otherwise, control is passed to step S21- 

S21: It is judged whether an offset value is equal to 
or larger than a certain value. If an offset value is equal 
to or larger than a certain value, control is passed to step 
S30. Otherwise, control is passed to step S22. 

S22: It is judged whether the packet is conformable to 
the TCP and any of the http, ftp, and smtp. If so, control 
is passed to step S23. If not, control is passed to step 
S30. 

S23: A virus check is performed. The details will be 
described in conjunction with Fig. 10. 

S24: It is judged whether the packet is infected with a 
virus. If the packet is infected with a virus, control is 
passed to step S28. Otherwise, control is passed to step 
S25. 

S25: One byte of the next packet is sampled. 

S26: It is judged whether the byte is the last byte of 
the packet. If the byte is the last byte, control is passed 
to step S2 7. Otherwise, control is returned to step S23. 

S27: A bit indicating that a virus check has been 
completed is set. 

S28: The bits in the option field of an IP header are 

set. 

S29: The warning packet Pwl and caution information 
packet Pw2 are issued. 

S30: A route is calculated. 
[0052] Next, the virus check routine to be executed at step 
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S2 3 above will be described. One byte of a packet is sampled 
and compared with the first hierarchical level in the search 
table 11a. If the same character as the one represented by 
the one byte is found in the first hierarchical level, the 
next one byte is sampled from the packet, and compared with 
the second hierarchical level subordinate to the branch in 
which the same character as the one represented by the one 
byte is found. 

[0053] If the same character as the one represented by one 
byte is not found, the next one byte is sampled from the 
packet and compared with the first hierarchical level again. 
After the comparison is repeated, if the same character as 
the one represented by the last one byte is found, the byte 
is judged to have been infected with a virus. The bits in 
the option field of the IP header are set. 

[0054] If a packet comes to an end in the course of search, 
the packet is judged not to have been infected with a virus. 
The packet is transferred to any other virus checking router 
responsible for other part of a virus pattern. Fig. 10 is a 
flowchart describing a procedure of a virus checking routine. 
S40: One byte is sampled from a packet. 

S41: It is judged whether the one byte is the last one 
byte. If the one byte is the last one byte, the routine is 
terminated. Otherwise, control is passed to step S42. 

S42: Another part of the packet is compared with a part 
of the virus pattern specified in the n-th hierarchical 
level . 

S43: It is judged whether the search is a hit. If the 
search is a hit, control is passed to step S46. Otherwise, 
control is passed to step S44. 

S44: The hierarchical level is returned to the first 
hierarchical level. 

S45: The first hierarchical level is checked. 

S46: The hierarchical level is set to the n+l-th 
hierarchical level . 

S47: It is judged whether the virus check is completed. 
If the virus check is completed, control is passed to step 
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S49. Otherwise, control is passed to step S48. 

S48: The n+l-th hierarchical level is checked. 

S49: It is judged that the packet has been infected 
with a virus, 

[0055] Next, bits to be set at the time of a virus check 
will be described. When a virus checking router performs a 
virus check, the value specified in the IHL field is 
incremented by one in order to preserve the option field. 
The bits in the preserved option field are set. 
[0 056] Fig. 11 shows the format of an IP packet adopted for 
the infection-indicated packet Pb. First, the value in the 
IHL field is incremented by one. The copied flag bit in the 
optical field is set to 0. The option class bits therein are 
set to represent 3 (field preserved for the future), the 
option number bits therein are set to represent 1 (code 
indicating that the infection-indicated packet Pb has 
undergone a virus check), and the length bits are set to 
represent 5. 

[0057] Moreover, as an option value, the first bit is 
assigned to an indication that the first part of a packet has 
been, or has not been, checked for the first part of a virus 
pattern. The second bit is assigned to an indicating that 
the second part of the packet has been, or has not been, 
checked for the second part of the virus pattern. The third 
bit is assigned to an indication that the third part of the 
packet has been, or has not been, checked for the third part 
of the virus pattern. Namely, these bits represent the 
information indicating whether a virus check has been 
performed. 

[0058] The fourth bit indicates whether the packet has been 
infected with a virus or not. If the packet has not been 
infected with a virus, the fourth bit is set to 0. If the 
packet has been infected with a virus, the fourth bit is set 
to 1. This signifies that the packet is the infection- 
indicated packet Pb. The fifth and subsequent bits represent 
a serial number. 

[0059] Next, the warning packet Pwl will be described. 
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After the virus checking router has detected a virus, the 
warning packet Pwl is transmitted to the transmitting source 
concerned. The caution information packet Pw2 is multicast 
to the surrounding virus checking routers. This is intended 
to allow discovery of a virus at an early stage and to 
prevent expansion of infection with the virus. 
[0060] The bits in the option field of the warning packet 
Pwl are set similarly to those in a packet in which a virus 
is detected, and distributed to the transmitting source 
according to a format described below. Fig. 12 shows the 
format for the warning packet Pwl. First, the value 
specified in the IHL field is incremented by one. The copied 
flag bit in the option field is set to 0. The option class 
bits therein are set to represent 3 (field preserved for the 
future). The option number bits are set to represent 2 (code 
indicating the warning packet Pwl ) . The length bits are set 
to represent 3. The option value indicating, as described in 
conjunction with Fig. 11, whether a virus check has been 
completed or not is appended. Moreover, the end address is 
regarded as the address of an infecting source. 
[0061] Next, processing to be performed on a client side 
will be described. Fig. 13 shows the configuration of the 
client terminal 20. The infected packet detecting means 21 
employed in the present invention is included in a LAN driver 
21a, and the file execution control means 22 therein is 
included in a TCP/IP driver 22b. 

[0062] The LAN driver 21a checks a virus check bit in each 
packet transmitted during a data flow, and then judges 
whether the bit is set. The TCP/IP driver 22b is notified of 
the result of the judgment. 

[0063] In response to the notification that the bit is set, 
the TCP/IP driver 22b disables execution of a file concerned 
and displays a message 20-1 saying that the file will be 
deleted. 



